CEOs of large global companies are uncomfortable making cybersecurity decisions. They prefer to talk about resilience rather than cybersecurity and place trust in their chief information security officers (CISOs) to take care of cybersecurity, a survey by Oxford University and cybersecurity consultancy ISTARI shows.
“The findings present an opportunity for CISOs to proactively encourage their CEOs to move towards a state of informed trust”, write Michael Smets, Professor of Management at Said Business School and Oxford University, and Manuel Hepfer and Rashmy Chatterjee, Head of Knowledge and Insight and CEO respectively at ISTARI, in a blog post at the World Economic Forum presenting the survey.
The survey comprises 37 CEOs of large global companies from the US, Europe and Asia.
These are the three things CISOs need to know to forge an effective cyber resilience partnership between CISO and CEO, the authors write:
- Uncomfortable making cybersecurity decisions
Although 100% of the CEOs insisted that they feel accountable for cybersecurity, 72% admitted to being uncomfortable making decisions in cybersecurity.
Most CEOs have moved up the ranks through traditional business domains, such as finance, operations or marketing. Very few started their career in technology, let alone cyber, and then became a CEO. As a result, very few are familiar with information technologies and cybersecurity systems.
One CEO of an $8 billion European company succinctly highlighted that: “The CIO (Chief information officer) came to present at an executive meeting and asked us how many servers we thought the company had. The lowest estimate in the room was four, and the highest 250. The reality was more than 4,000.”
But when a serious cyberattack happens, such a lack of familiarity can inhibit a CEO’s ability to make sound decisions. The discomfort on the CEO’s part presents an opportunity for CISOs to help their CEOs become more comfortable in this area.
They can forge a stronger relationship to integrate technology and business imperatives in the pursuit of cyber resilience.
- Talk resilience, not cybersecurity
Many CEOs spontaneously suggested we speak to their CISO instead, or at least invite them along. When the meeting with the CEO started, we could sense palpable anxiety about covering cybersecurity single-handedly.
But a minor change to our approach significantly changed the dynamics in the interviews: framing our conversation in terms of business resilience. When we asked, for instance, what made their company resilient during the COVID-19 pandemic, CEOs were subsequently comfortable moving to a conversation about cyber resilience. Although our interviews were scheduled for one hour, many CEOs stayed longer because, as they told us, they enjoyed the discussion about business and cyber resilience.
The importance of cyber resilience was further highlighted by those CEOs who had led their company through a serious cyberattack. One of their biggest regrets was focusing on cybersecurity protection, not resilience.
Experiencing an attack made them understand that perfect cybersecurity protection is a losing game. Instead, they started to see cyberattacks as a ‘predictable surprise’ that every organization can suffer from. They thus shifted their strategic priority to improving their organization’s cyber resilience.
This insight from the CEOs presents an opportunity for CISOs to frame their cyber strategy in terms of resilience, not cybersecurity protection, the survey says.
A few CISOs have reached out after reading the research, with one saying: “I’ve tuned our cyber strategy toward cyber resilience, and the message is landing really well across the business.”
- CEOs blindly trust their CISOs, which is good and bad
All the CEOs trusted their cybersecurity teams to do their job. That is generally a good thing. Yet those CEOs who had suffered an attack regretted having unthinkingly trusted their cybersecurity teams. Blind trust, to them, meant that they had delegated responsibility and understanding to technical experts without being able to fully comprehend or critically challenge them.
When the company suffered an attack, delegation was no longer an option for the CEOs.
Unlike in more traditional areas, such as marketing or finance, CEOs lacked experience or intuition for moving forward in a cyber crisis. Having unthinkingly trusted experts before, they found that the attack forced them to put the company’s fate in the hands of people who usually sit much further down the decision-making hierarchy, something they would typically not do.
The report says this presents an opportunity for CISOs to proactively encourage their CEOs to stop blindly trusting their cybersecurity teams and move to a state of informed trust instead.
“To achieve this, CISOs can ask their CEO to commission an external audit, just like they commission financial audits. Such unbiased advice from external experts who report their findings directly to the CEO builds informed trust between the CEO and the CISO, while uncovering any blind spots the company might suffer from.”